Option 0 — Enabled (User Mode Code Integrity)#

Table of Contents#

What It Does
Why It Exists
Visual Anatomy — Policy Evaluation Stack
How to Set It (PowerShell)
XML Representation
Interaction with Other Options
When to Enable vs Disable
Real-World Scenario — End-to-End Walkthrough
What Happens If You Get It Wrong
Valid for Supplemental Policies?
OS Version Requirements
Summary Table

1. What It Does#

Enabled extends Windows Defender Application Control (WDAC / App Control for Business) enforcement from kernel-mode code down into the full user-mode execution space. Without this option, WDAC only validates drivers and other kernel-mode binaries — the hypervisor-protected layer that prevents unsigned code from loading into the Windows kernel. When you add Enabled:UMCI, the same policy rules are applied to every user-mode executable (.exe), dynamic-link library (.dll), COM object, packaged app, script host, and managed binary that is launched on the endpoint. The Virtualization-Based Security (VBS) Code Integrity component evaluates each binary against the allowed signers, hashes, and file attributes specified in the active policy; any binary that cannot satisfy at least one allow rule is blocked before it executes. This single rule option is the gateway that transforms WDAC from a kernel-only guardrail into a full application-whitelisting platform.

2. Why It Exists#

The Security Problem It Solves#

Before WDAC, organizations relied on software restriction policies (SRP) or AppLocker to control which applications could run in user space. Both technologies have well-documented bypass paths: AppLocker can be circumvented by placing binaries in writable directories included in its path rules, or by exploiting trusted installers. SRP has even weaker enforcement. Neither uses hardware-backed integrity checking.

Meanwhile, the most dangerous attacker activity — lateral movement tools, credential dumpers, ransomware payloads, living-off-the-land binaries (LOLBins) — executes entirely in user mode. A policy that only protects the kernel leaves the entire user-mode attack surface unguarded.

Enabled:UMCI solves this by:

Closing the user-mode attack surface. Every PE image that tries to map an executable section into a process must pass Code Integrity checks before the kernel grants execute permission.
Defeating LOLBin abuse. Legitimate binaries like wscript.exe, mshta.exe, or regsvr32.exe can be permit-listed narrowly. Unsigned or unexpected payloads dropped by those hosts are blocked.
Enabling script enforcement. Combined with Option 11 (Enabled Enforcement, implicit when UMCI is on for WDAC v2), PowerShell, VBScript, and JScript are also policy-gated.
Complying with NIST SP 800-167, CIS Controls, and ACSC Essential Eight. Application whitelisting at the user-mode layer is explicitly required by each of these frameworks for the highest maturity tiers.

3. Visual Anatomy — Policy Evaluation Stack#

1
flowchart TD
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef usermode fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
5
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
6
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
7
    classDef neutral fill:#1c1c2e,color:#a5b4fc,stroke:#3730a3
8

9
    A([Binary Execution Request]) --> B{Kernel Mode?}
10

11
    B -- Yes --> C[Kernel-mode CI Check\nAlways enforced by WDAC]:::kernel
12
    C --> D{Signed by\nallowed signer?}
13
    D -- Yes --> E([Driver Loads]):::allow
14
    D -- No --> F([Driver Blocked]):::block
15

16
    B -- No --> G{Option 0\nEnabled:UMCI\npresent?}:::option
17
    G -- No --> H([User binary runs\nUNCHECKED]):::block
18
    G -- Yes --> I[User-mode CI Check\nVBS-enforced]:::usermode
19
    I --> J{Policy rule\nmatches?}
20
    J -- Allow rule hit --> K([Binary executes]):::allow
21
    J -- No match / Deny hit --> L([Binary blocked\nEvent 3076/3077]):::block
22

23
    subgraph Policy_Layers["Policy Evaluation Layers"]
24
        direction TB
25
        M([Base Policy]):::neutral --> N([Supplemental Policies]):::neutral
26
        N --> O([Final Allow/Deny decision]):::neutral
27
    end
28

29
    J -.-> Policy_Layers

Where Option 0 Sits in the Stack#

1
flowchart LR
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef usermode fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
5

6
    A[Secure Boot] --> B[UEFI Locked Policy]:::kernel
7
    B --> C[Hypervisor HVCI]:::kernel
8
    C --> D[Kernel-mode CI\nOption 2 WHQL lives here]:::kernel
9
    D --> E[Option 0 Gate\nEnabled:UMCI]:::option
10
    E --> F[User-mode CI Enforcement\nEXE DLL COM Scripts]:::usermode
11
    F --> G[Script Enforcement\nPowerShell VBS JS]:::usermode

4. How to Set It (PowerShell)#

Prerequisites#

1
# Requires the ConfigCI module (Windows 10/11 Enterprise or Education)
2
# Must run as Administrator
3
Import-Module ConfigCI

Enable UMCI on an Existing Policy File#

1
# Enable Option 0 (adds Enabled:UMCI to the policy)
2
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 0

Remove UMCI (Revert to Kernel-Only Enforcement)#

1
# Remove Option 0 (policy reverts to kernel-mode-only enforcement)
2
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 0 -Delete

Create a New Policy with UMCI Enabled from the Start#

1
# Start from the DefaultWindows template (already includes UMCI)
2
$PolicyPath = "C:\Policies\Enforced_UMCI.xml"
3
Copy-Item "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" $PolicyPath
4

5
# Verify Option 0 is present
6
(Get-Content $PolicyPath) | Select-String "UMCI"
7

8
# Set the policy GUID and version
9
Set-CIPolicyIdInfo -FilePath $PolicyPath -PolicyName "Corp Baseline" -PolicyId (New-Guid).Guid
10
Set-HVCIOptions -Strict -FilePath $PolicyPath

Compile and Deploy#

1
# Compile XML to binary
2
$BinPath = "C:\Policies\Enforced_UMCI.bin"
3
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath $BinPath
4

5
# Deploy (SiPolicy.p7 for legacy single-policy)
6
Copy-Item $BinPath "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b"
7

8
# For GUID-based multi-policy deployment
9
$GuidBin = "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{<PolicyGUID>}.cip"
10
Copy-Item $BinPath $GuidBin
11

12
# Refresh (no reboot required for update, reboot required for first enable)
13
& citool.exe --update-policy $BinPath

Audit First Workflow#

1
# Step 1 — Enable Option 3 (Audit Mode) alongside Option 0
2
Set-RuleOption -FilePath $PolicyPath -Option 3   # Audit mode
3
Set-RuleOption -FilePath $PolicyPath -Option 0   # UMCI
4

5
# Step 2 — Deploy, collect logs, review 3076 events
6
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" |
7
    Where-Object Id -eq 3076 |
8
    Select-Object TimeCreated, Message |
9
    Export-Csv "$env:USERPROFILE\Desktop\umci_audit.csv" -NoTypeInformation
10

11
# Step 3 — Build supplemental from audit log
12
$AuditEvents = New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs `
13
    -FilePath "C:\Policies\Supplemental_Audit.xml"
14

15
# Step 4 — Remove Audit Mode, leave UMCI
16
Set-RuleOption -FilePath $PolicyPath -Option 3 -Delete

5. XML Representation#

Option 0 Present in Policy XML#

1
<?xml version="1.0" encoding="utf-8"?>
2
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
3

4
  <VersionEx>10.0.0.0</VersionEx>
5
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
6
  <PlatformID>{2E07F7E4-194C-4D20-B96C-1498495910E7}</PlatformID>
7

8
  <Rules>
9
    <Rule>
10
      <Option>Enabled:UMCI</Option>
11
    </Rule>
12

13
    <Rule>
14
      <Option>Enabled:Audit Mode</Option>
15
    </Rule>
16
    <Rule>
17
      <Option>Required:WHQL</Option>
18
    </Rule>
19
  </Rules>
20

21

22
</SiPolicy>

Option 0 Absent (Kernel-Only Mode)#

1
<Rules>
2
  <Rule>
3
    <Option>Required:WHQL</Option>
4
  </Rule>
5
</Rules>

Verifying Presence via PowerShell#

1
# Parse the XML and check for the option
2
[xml]$Policy = Get-Content "C:\Policies\MyBasePolicy.xml"
3
$ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
4
$ns.AddNamespace("si", "urn:schemas-microsoft-com:sipolicy")
5
$rules = $Policy.SelectNodes("//si:Rule/si:Option", $ns) | Select-Object -ExpandProperty '#text'
6
if ($rules -contains "Enabled:UMCI") {
7
    Write-Host "UMCI is ENABLED" -ForegroundColor Green
8
} else {
9
    Write-Host "UMCI is DISABLED (kernel-only)" -ForegroundColor Red
10
}

6. Interaction with Other Options#

Option Relationship Matrix#

Option	Name	Relationship with UMCI
3	Enabled Mode	Companion — pair during rollout to log without blocking
6	Enabled System Integrity Policy	Unrelated (signing of policy itself)
9	Enabled Boot Options Menu	Unrelated
10	Enabled Audit on Failure	Unrelated
11	Disabled Enforcement	Conflict — disables script checks that UMCI enables
12	Required Store Applications	Extends UMCI coverage to MSIX packages
14	Enabled Intelligence	Enhances UMCI with cloud reputation
16	Enabled Policy No Reboot	Deployment helper, neutral
20	Enabled Code Security	Extends UMCI to JIT-compiled code

Interaction Diagram#

1
flowchart TD
2
    classDef option0 fill:#1a1a0d,color:#fde68a,stroke:#713f12
3
    classDef companion fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef conflict fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
5
    classDef extends fill:#162032,color:#58a6ff,stroke:#1e3a5f
6
    classDef neutral fill:#1c1c2e,color:#a5b4fc,stroke:#3730a3
7

8
    UMCI["Option 0\nEnabled:UMCI"]:::option0
9

10
    AuditMode["Option 3\nEnabled:Audit Mode\n(Use during rollout)"]:::companion
11
    ScriptEnf["Option 11\nDisabled:Script Enforcement\n(Weakens UMCI)"]:::conflict
12
    StoreApps["Option 12\nRequired:Enforce Store Apps\n(Extends coverage)"]:::extends
13
    DynCode["Option 20\nEnabled:Dynamic Code Security\n(Extends to JIT)"]:::extends
14
    ThreatIntel["Option 14\nEnabled:Threat Intelligence\n(Cloud-enhanced)"]:::extends
15
    WHQL["Option 2\nRequired:WHQL\n(Kernel layer, independent)"]:::neutral
16
    BootMenu["Option 1\nEnabled:Boot Menu Protection\n(Not supported)"]:::neutral
17

18
    UMCI -->|"Pair during rollout"| AuditMode
19
    UMCI -->|"Weakened by"| ScriptEnf
20
    UMCI -->|"Extended by"| StoreApps
21
    UMCI -->|"Extended by"| DynCode
22
    UMCI -->|"Enhanced by"| ThreatIntel
23
    UMCI -.->|"Independent layer"| WHQL
24
    UMCI -.->|"Unsupported option"| BootMenu

The UMCI + Audit Mode Lifecycle#

1
stateDiagram-v2
2
    [*] --> KernelOnly: Policy deployed\nwithout Option 0
3

4
    KernelOnly --> AuditUMCI: Add Option 0 + Option 3\n(Safe rollout start)
5
    AuditUMCI --> ReviewLogs: Collect 3076 events\nfor 2–4 weeks
6
    ReviewLogs --> RefinePolicy: Add missing signers/hashes\nfrom audit data
7
    RefinePolicy --> EnforcedUMCI: Remove Option 3\nKeep Option 0
8
    EnforcedUMCI --> [*]: Full enforcement\nactive

7. When to Enable vs Disable#

1
flowchart TD
2
    classDef yes fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef no fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef question fill:#162032,color:#58a6ff,stroke:#1e3a5f
5
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
6

7
    Start([Should I enable Option 0?]) --> Q1{Is endpoint a\ncritical/secured asset?}:::question
8
    Q1 -- Yes --> Q2{Can you inventory\nall authorized software?}:::question
9
    Q2 -- Yes --> Q3{Is there a change\nmanagement process?}:::question
10
    Q3 -- Yes --> ENABLE([Enable UMCI\nwith Audit Mode first]):::yes
11
    Q3 -- No --> WARN1([Enable UMCI + Audit Mode\nBuild CM process in parallel]):::warn
12
    Q2 -- No --> WARN2([Run Audit Mode ONLY first\nInventory gaps before enforce]):::warn
13
    Q1 -- No --> Q4{Is it a legacy\nor OT system?}:::question
14
    Q4 -- Yes --> DISABLE([Consider kernel-only or\nskip WDAC entirely]):::no
15
    Q4 -- No --> Q5{Development or\nbuild machine?}:::question
16
    Q5 -- Yes --> WARN3([Use supplemental policy\nfor dev tools or skip UMCI]):::warn
17
    Q5 -- No --> ENABLE

Decision Reference Table#

Scenario	Recommendation
Corporate managed endpoint (standard user)	Enable UMCI — highest priority
Executive / VIP workstation	Enable UMCI — zero-tolerance posture
Developer workstation	Audit mode first, then scoped supplemental
OT / SCADA system	Evaluate carefully; legacy drivers may break
Kiosk / locked-down device	Enable UMCI — ideal use case
Domain controller	Enable UMCI — critical infrastructure
CI/CD build server	Consider kernel-only or tightly scoped UMCI
Air-gapped system	Enable UMCI — no internet needed

8. Real-World Scenario — End-to-End Walkthrough#

Scenario: Ransomware Lateral Movement Blocked by UMCI#

An attacker compromises a phishing-vulnerable endpoint and drops a Cobalt Strike beacon (beacon.dll) into %TEMP%. Without UMCI, the DLL loads freely. With UMCI enabled, every DLL must match a policy rule.

1
sequenceDiagram
2
    autonumber
3
    actor Attacker
4
    participant PhishEmail as Phishing Email
5
    participant OutlookExe as Outlook.exe (User Process)
6
    participant TempDir as %TEMP%\beacon.dll
7
    participant WinKernel as Windows Kernel (CI)
8
    participant VBS as VBS / HVCI Layer
9
    participant PolicyEng as Policy Engine
10
    participant EventLog as Event Log (3077)
11
    participant SOC as SOC / SIEM
12

13
    Attacker ->> PhishEmail: Send malicious macro attachment
14
    PhishEmail ->> OutlookExe: User opens, macro executes
15
    OutlookExe ->> TempDir: Write beacon.dll to disk
16
    OutlookExe ->> WinKernel: LoadLibrary("beacon.dll")
17
    WinKernel ->> VBS: Request DLL image load
18
    VBS ->> PolicyEng: Evaluate beacon.dll against active policy
19
    PolicyEng -->> VBS: No matching Allow rule (unsigned / unknown hash)
20
    VBS -->> WinKernel: BLOCK — STATUS_ACCESS_DENIED
21
    WinKernel -->> OutlookExe: LoadLibrary returns NULL
22
    WinKernel ->> EventLog: Log Event ID 3077 (Enforcement block)
23
    EventLog ->> SOC: Forward via WEF / SIEM ingestion
24
    SOC -->> Attacker: Alert raised — lateral movement detected and stopped

Policy Preparation Walkthrough#

1
sequenceDiagram
2
    autonumber
3
    actor Admin
4
    participant PolicyXML as Policy XML File
5
    participant CIModule as ConfigCI Module
6
    participant TestVM as Test VM
7
    participant AuditLog as Audit Event Log
8
    participant ProdEndpoint as Production Endpoint
9

10
    Admin ->> PolicyXML: Copy DefaultWindows_Enforced.xml
11
    Admin ->> CIModule: Set-RuleOption -Option 0 (UMCI)
12
    Admin ->> CIModule: Set-RuleOption -Option 3 (Audit Mode)
13
    Admin ->> CIModule: ConvertFrom-CIPolicy → .cip binary
14
    Admin ->> TestVM: Deploy .cip via MDM / Group Policy
15
    TestVM ->> AuditLog: Run all business applications
16
    AuditLog -->> Admin: Export Event 3076 (would-be-blocked)
17
    Admin ->> CIModule: New-CIPolicy -Audit → Supplemental.xml
18
    Admin ->> PolicyXML: Merge supplemental / add signers
19
    Admin ->> PolicyXML: Remove-RuleOption -Option 3 (remove Audit)
20
    Admin ->> CIModule: ConvertFrom-CIPolicy → enforced .cip
21
    Admin ->> ProdEndpoint: Deploy enforced policy via Intune
22
    ProdEndpoint -->> Admin: UMCI enforced — Event 3077 on violations

9. What Happens If You Get It Wrong#

Scenario A: UMCI Enabled Without Audit Phase#

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
4
    classDef ok fill:#0d1f12,color:#86efac,stroke:#166534
5

6
    A([Skip Audit Phase]) --> B[Unsigned LOB app blocked]:::block
7
    A --> C[Custom scripts blocked]:::block
8
    A --> D[Third-party AV DLL blocked]:::block
9
    A --> E[Help desk overwhelmed\nwith tickets]:::warn
10
    B --> F([Business disruption]):::block
11
    C --> F
12
    D --> G([AV/EDR partially disabled]):::block
13
    E --> H([Rollback to kernel-only]):::warn
14
    H --> I([Security gap restored]):::block

Scenario B: UMCI Disabled on Critical Asset#

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef ok fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
5

6
    A([UMCI not enabled]) --> B[Kernel drivers protected]:::ok
7
    A --> C[User-mode binaries\nrun unchecked]:::block
8
    C --> D[Attacker drops unsigned EXE]:::block
9
    D --> E[LOLBin abuse unrestricted]:::block
10
    E --> F([Credential dump succeeds]):::block
11
    F --> G([Ransomware deploys]):::block
12
    B -.-> H([False sense of security]):::warn

Misconfig Consequences Summary#

Mistake	Impact	Severity
Enable UMCI without audit phase	LOB apps / scripts break	High — operational outage
Forget to include AV/EDR DLLs in policy	EDR partially non-functional	Critical — security blind spot
Deploy to unsigned policy	Policy ignored if UEFI lock enabled	High — policy bypass
Remove UMCI from enforced policy	Full user-mode attack surface reopens	Critical
Enable UMCI without HVCI	UMCI weakened (can be bypassed via kernel exploit)	Medium

10. Valid for Supplemental Policies?#

No. Enabled:UMCI is not valid in supplemental policies. It is a base-policy-only rule option that controls the fundamental enforcement scope of the entire Code Integrity engine. Supplemental policies can only extend the allow rules of the base policy (additional signers, hashes, paths) — they cannot change the enforcement mode or scope.

Attempting to set Option 0 in a supplemental policy will either be silently ignored or cause a policy merge error. The enforcement boundary is always determined by the base policy.

Reference: PolicyType="Supplemental Policy" in the XML schema explicitly restricts which <Option> values are honored.

11. OS Version Requirements#

Windows Version	Support Level
Windows 10 1507 (TH1)	Kernel-mode CI only; UMCI introduced in 1607
Windows 10 1607 (Anniversary Update)	First full UMCI support
Windows 10 1703+	UMCI stable; script enforcement added
Windows 10 1903+	Dynamic Code Security (Option 20) extends UMCI
Windows 11 21H2+	Full support; improved audit tooling
Windows 11 22H2+	Enhanced supplemental policy merge
Windows Server 2016	Supported
Windows Server 2019+	Supported; recommended for DC hardening
Windows Server 2022	Supported; HVCI on by default on new installs

Note: UMCI is most effective when paired with Virtualization-Based Security (VBS) / HVCI. Without HVCI, a kernel-level exploit could bypass UMCI checks. With HVCI, the Code Integrity checks run in the isolated VBS environment, making them tamper-resistant.

12. Summary Table#

Attribute	Value
Rule Option Name	`Enabled:UMCI`
Rule Option Index	0
Default State	Disabled (kernel-only)
Effect when Enabled	WDAC enforces on all user-mode PE images, DLLs, COM objects, scripts
Effect when Disabled	Only kernel-mode drivers are checked
Valid in Base Policy	Yes
Valid in Supplemental Policy	No
Requires Reboot on First Enable	Yes
Requires Reboot on Update	No (for policy updates after first enable)
Paired Best With	Option 3 (Audit Mode) during rollout
Conflicts With	Option 11 (Disabled Enforcement) weakens coverage
Minimum OS Version	Windows 10 1607 / Server 2016
PowerShell Cmdlet (Enable)	`Set-RuleOption -FilePath <xml> -Option 0`
PowerShell Cmdlet (Disable)	`Set-RuleOption -FilePath <xml> -Option 0 -Delete`
Event ID (Audit Block)	3076
Event ID (Enforce Block)	3077
Event Log Location	`Microsoft-Windows-CodeIntegrity/Operational`
Security Framework Alignment	NIST SP 800-167, CIS Controls v8 (Control 2), ACSC Essential Eight (App Control ML3)